With the cloud era, built on server virtualisation, web businesses gain flexibility, save costs and often find their platforms easier to operate. The cloud is becoming unavoidable, but in these environments the question of data protection still has to be answered, and many misconceptions persist.
Secure cloud: avoid misconceptions
The first element to consider when securing a cloud environment is data sovereignty: the physical location where the data is stored and the country where the company storing it is headquartered. Both determine which laws and regulations apply. So study the laws and standards of the countries involved rather than being frightened by the slightest mention of the Patriot Act, for example.
On the other hand, don’t blindly trust the certifications put forward by service providers, such as ISO 27001. AWS’s infrastructure is PCI-DSS certified, but that does not mean every company hosted on AWS is certified by default: it only shows that you can obtain this certification on an AWS environment, since the underlying infrastructure is compliant. The same applies at NBS System: the CerberHost secure cloud environment is PCI-DSS compliant, but only those clients who have asked to be certified, and who follow the procedures the standard requires, are themselves certified.
Finally, one misconception that persists is that public clouds are less secure than private clouds, because we picture shared servers on public clouds and dedicated servers on private clouds. However, it is possible, and even recommended, to create a virtual private space (a VPC, for example) within a public cloud to remove this difference. Rather than “which cloud should I choose?”, the real question is “how can I secure my environment on any cloud?”.
Cloud security: follow best practice
Your cloud provider secures the infrastructure it provides to you and offers tools to protect your architecture (the system you host on that infrastructure), but it does not guarantee the protection of your data. This is the shared responsibility model: you, with the help of your outsourcer or a consultant, remain solely responsible for securing your servers, which calls for a sound risk assessment and the choice of appropriate protective measures.
The first step is to clean up your source code so that it leaves no vulnerabilities. Before deploying your environment, have a source code audit or penetration test performed to reveal flaws and correct them before they are exploited. Our security experts recommend repeating these tests every two years to check that no vulnerability has been forgotten or introduced by an upgrade, an additional module or a new development, for example.
Above your source code sits your web application. WordPress, Magento, Drupal or Typo3: it is up to you to choose the one that fits your needs, knowing that some have a better security track record than others. In every case, vulnerabilities are regularly published for these platforms, so you must apply updates promptly to stay protected and maintain a secure cloud environment.
Finally, there is your cloud architecture. As we have said, the type of cloud you choose is not what matters; how you build your platform is. There are many solutions against each type of malicious attack: anti-DDoS, web application firewall, intrusion detection system, etc. Again, the choice is yours, made in light of the risks your company faces. And above all, encrypt your data, at rest and in transit!
However, be careful: piling up security tools is not best practice if they do not work together. A cloud environment’s security must be considered as a whole: the whole is greater than the sum of its parts. This is also the principle our security team applied when creating our high-security cloud solution, CerberHost. Another point to consider is to make sure the solutions you choose are designed for use in the cloud!
Security training: a requirement for your teams
Finally, don’t neglect the human factor, which is still involved in most large data losses and thefts. Contrary to popular belief, the cause is not only malicious acts (a former employee seeking revenge, financial motives, etc.) or an employee falling into a hacker’s trap, but often simple negligence or human error. Internal intrusions or losses can take several forms: typing a password on a train without a privacy filter, a forgotten USB drive, theft of work equipment, personal use of a work device or BYOD, sharing sensitive data without knowing how critical it is, etc.
Training or awareness sessions on good security practice will help your teams be prepared and reduce the risk of a successful social engineering attack. Likewise, pay special attention to how access rights to your information system are managed, whether internally or with your service providers: trust, but verify. Limit access to your platforms to what is strictly necessary; when additional permissions are needed, grant them temporarily or on an exceptional basis, and revoke them afterwards.
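As an added illustration of “strictly necessary, temporary” access (not part of the original article or NBS System’s own configuration), here is an AWS IAM policy that grants read-only access to a single bucket, only during a fixed time window and only when the caller authenticated with MFA. The bucket name, the time window and the policy name are assumptions chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TemporaryReadOnlyOnOneBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-incident-logs",
        "arn:aws:s3:::example-incident-logs/*"
      ],
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2024-03-01T08:00:00Z" },
        "DateLessThan":    { "aws:CurrentTime": "2024-03-01T20:00:00Z" },
        "Bool":            { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

The policy expires on its own at the end of the window, so a permission granted for an incident cannot silently become permanent, and scoping the Resource to one bucket rather than `*` keeps the grant at the minimum needed. The same pattern (narrow action list, narrow resource, time and MFA conditions) applies to a service provider’s access as much as to an internal account; auditing which such policies exist and are still attached is the “verify” half of “trust, but verify”.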
Data protection is NBS System’s core expertise
At NBS System, whether on your private cloud or on AWS’s public cloud, your servers are protected by default (hardened kernels, a secured infrastructure front end, anti-DDoS protection, etc.). Our teams are here to support you in protecting your computing and web application data.
Our IT security experts have also developed a high-security hosting solution, CerberHost. Tested and proven by professionals, and equipped with several layers of security and a system that updates itself based on observed intrusion attempts, CerberHost is designed for businesses with significant IT security needs.